Can We Bring VRRP Down?
Virtual Router Back-up Agreement (VRRP) is the accepted agnate of Hot Standby
Router Agreement (HSRP). The aforementioned vulnerabilities abide in VRRP as in HSRP with minor
differences, such as abnegation of account (DoS), man in the average (MITM) advance (rerouting
traffic through the hacker’s PC), and some advice leakage. Acknowledgment techniques,
including able affidavit and the use of admission ascendancy account (ACL), are additionally described
to accomplish VRRP a absolute high-availability band-aid instead of a DoS target.
Discovering VRRP
Even if you are accustomed with how VRRP works, feel chargeless to apprehend on to brace your
knowledge or to accumulate new information, because this area focuses on specific points
linked to the aegis aspects of VRRP.
In VRRP, anniversary concrete router has its own MAC and IP addresses, but it additionally shares one
MAC abode and one IP abode for the basic router. Figure 10-1 depicts such a topology
when the VRRP accumulation consists of two routers. There is a change in the terminology
compared to HSRP:
• Adept router: The router that is currently forwarding packets.
• Advancement routers: The routers that are in standby and are not currently forwarding
packets. They accept to VRRP packets from the adept router to ascertain whether it is
active.
In Figure 10-1, the altered IP addresses are as follows:
• 192.168.0.7: IP abode of interface FastEthernet 0/0 of concrete router A.
• 192.168.0.9: IP abode of interface FastEthernet 0/0 of concrete router B.
• 192.168.0.8: IP abode of the interface of the basic router. This is the aggregate IP
address.
158 Chapter 10: Can We Bring VRRP Down?
Figure 10-1 Typical VRRP Topology
An IP multicast abode is acclimated as the destination of all VRRP messages: 224.0.0.18. This
address is aural the articulation bounded scope, 224.0.0.0/24.
By definition, all addresses in the articulation bounded ambit are alone accurate aural a articulation (that is, within
the LAN); packets destined to such a articulation bounded abode are never baffled alfresco the LAN.
This additionally agency that no antagonist will anytime be able to accelerate a artificial VRRP packet to a remote
LAN because all routers in the aisle will artlessly bead this packet.
Figure 10-1 additionally shows the three altered MAC addresses used:
• Absolute MAC abode of the concrete router A.
• Absolute MAC abode of the concrete router B.
• MAC abode of the basic router. (In this specific configuration, it is
0000.5E00.0101.)
NOTE The basic MAC abode is consistently in the anatomy 0000.5E00.01xx, area xx is the VRRP
group cardinal (that is, an identification of the VRRP accumulation of adept and advancement routers).
The accumulation cardinal is appropriate to abstain MAC abode battle back assorted VRRP virtual
routers abide on the aforementioned LAN. This is the aforementioned abstraction as in HSRP. No specific semantic
is associated to a accumulation number; it aloof needs to be altered on the LAN.
The use of the MAC and IP addresses is agnate to HSRP. All end hosts consistently use the
virtual MAC abode to accelerate to the adept router. The adept router sends its periodic
VRRP packets with the basic MAC abode as its antecedent so that switches can apprentice this
address in their content-addressable anamnesis (CAM) table.
Normal Hosts with a Default Route to 192.168.0.8
Router A
IP: 192.168.0.7
MAC: from Hardware
Virtual Router
IP: 192.168.0.8
MAC: 0000.5E00.0101
Router B
IP: 192.168.0.9
MAC: from Hardware
VRRP Group
Discovering VRRP 159
The adept alternate VRRP packets are additionally a bloom arresting for the advancement routers. The
absence of this alternate VRRP packet triggers the advancement routers to change roles and
become active.
A aberration of VRRP compared to HSRP is that the VRRP basic IP abode can be the
interface IP abode of the adept router. With HSRP, the basic IP abode was always
different than the HSRP primary router.
Diving Deep into VRRP
This area provides added abundant advice on VRRP, as declared in RFC 23381 and
RFC 37682. VRRP runs on top of IP application Agreement 112. Packets are beatific to multicast
address 224.0.0.18 with TTL 255. Routers use their absolute IP abode as the antecedent address
for agreement packets, not the basic IP address.
NOTE A lot of advice about VRRP exists on the web and in books, as declared in RFC 2338
and RFC 3768.
Only the adept router sends alternate VRRP letters by application the basic MAC address
as the antecedent to accumulate the switch’s CAM table up to date with the bounden of the basic MAC
address to a specific port. The about-face again uses this bounden to advanced frames addressed to
the basic MAC abode to the adept router.
The advancement routers irenic accept for those alternate VRRP packets to analysis whether the
master router is alive. If no adept exists, the advancement routers go through a quick election
process to actuate which router becomes the adept router.
The anew adopted router anon transmits a anatomy with the basic MAC abode as
the antecedent address. The switch’s CAM table is adapted with the new bounden to the anchorage of
the new master, and it anon starts forwarding all frames addressed to the virtual
MAC abode to the anchorage of the anew adopted adept router.
Figure 10-2 shows the VRRP packet format.
160 Chapter 10: Can We Bring VRRP Down?
Figure 10-2 VRRP Packet Format
Version Blazon Priority
Count IP
Virtual Router ID Addresses
Authentication
Type
Advertisement
Interval Checksum
IP Abode (1)
...
IP Abode (n)
Authentication Data (1)
Authentication Data (2)
The Affidavit Blazon and Affidavit Data fields are acclimated for authentication. In RFC
2338, the affidavit blazon could be none, argument based (such as in HSRP), or IP
Authentication Header (AH) from the IPsec protocol. Back text-based affidavit is
used, the aggregate abstruse is put in the bright in the Affidavit Data field. In RFC 3768,
which obsoletes RFC 2338, alone the “none” affidavit blazon is defined.
NOTE RFC 3768 explains the acumen why the clear-text and AH-based affidavit types have
been removed. Because alike with able authentication, such as AH (with antireplay),
nothing prevents added attacks (such as Abode Resolution Agreement [ARP] bluffing or
MAC spoofing), so there is no charge to accommodate a activity of apocryphal aegis by adding
authentication to VRRP.
Everyone does not allotment this point of view: As apparent in Chapters 2, “Defeating a Learning
Bridge’s Forwarding Process,” and 6, “Exploiting IPv4 ARP,” MAC and ARP bluffing can
be mitigated effectively; therefore, able affidavit still has amount back accompanying to a
secure basement applying the acknowledgment techniques adjoin MAC and ARP spoofing.
The Antecedence acreage elects the master. Back comparing the priorities of two altered routers,
the router with the numerically college antecedence wins the acclamation action and becomes the
master router.
In the case of routers with according priority, the router with the college IP abode wins the
election. As ahead explained, in VRRP, the basic IP abode can absolutely be the IP
address of one router aural the back-up accumulation (when the router is the master); in this
case, the adept router antecedence charge be set to 255 to consistently win in case of a tie.